使用 VBA 脚本解锁 VBA 密码
Glen Alfaro
2022年5月18日
编辑或修改 VBA 脚本对于使其功能更好和最新是必不可少的。但是,你需要编辑的 VBA 有密码并且你不知道该怎么做的时候到了。
本文将演示如何使用 VBA 代码解锁忘记或未知的 VBA 脚本密码。
VBA 密码简述逻辑
- 代码会调用一个系统函数来创建一个输入密码的对话框。
- 如果密码正确,函数返回
1
。如果没有,将返回0
。 - 密码对话框关闭后,系统会期待返回值。
- 如果返回值为
1
,系统将确认这是一个正确的密码。因此 VBA 项目将被解锁。
下面的代码将演示如何将 Password Checker
函数的内存交换为用户定义的函数,该函数在调用时将返回 1
。
Option Explicit
Private Const PAGE_EXECUTE_READWRITE = &H40
Private Declare PtrSafe Function VirtualProtect Lib "kernel32" (lpAddress As LPtr, _
ByVal dwSize As LPtr, ByVal flNewProtect As LPtr, lpflOldProtect As LPtr) As LPtr
Private Declare PtrSafe Function GetModuleHandleA Lib "kernel32" (ByVal lpModuleName As String) As LPtr
Private Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As LPtr, _
ByVal lpProcName As String) As LPtr
Private Declare PtrSafe Sub MoveMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As LPtr, Source As LPtr, ByVal Length As LPtr)
Private Declare PtrSafe Function DialogBoxParam Lib "user32" Alias "DialogBoxParamA" (ByVal hInstance As LPtr, _
ByVal pTemplateName As LPtr, ByVal hWndParent As LPtr,ByVal lpDialogFunc As LPtr, ByVal dwInitParam As LPtr) As Integer
Dim HBytes(0 To 5) As Byte
Dim OBytes(0 To 5) As Byte
Dim pFunc As LPtr
Dim Flag As Boolean
Private Function GetPtr(ByVal Value As LPtr) As LPtr
GetPtr = Value
End Function
Public Sub RecoverBytes()
If Flag Then MoveMemory ByVal pFunc, ByVal VarPtr(OriginBytes(0)), 6
End Sub
Public Function Hook() As Boolean
Dim TmpBytes(0 To 5) As Byte
Dim p As LPtr
Dim OriginProtect As LPtr
Hook = False
pFunc = GetProcAddress(GetModuleHandleA("user32.dll"), "DialogBoxParamA")
If VirtualProtect(ByVal pFunc, 6, PAGE_EXECUTE_READWRITE, OriginProtect) <> 0 Then
MoveMemory ByVal VarPtr(TmpBytes(0)), ByVal pFunc, 6
If TmpBytes(0) <> &H68 Then
MoveMemory ByVal VarPtr(OriginBytes(0)), ByVal pFunc, 6
p = GetPtr(AddressOf MyDialogBoxParam)
HookBytes(0) = &H68
MoveMemory ByVal VarPtr(HookBytes(1)), ByVal VarPtr(p), 4
HookBytes(5) = &HC3
MoveMemory ByVal pFunc, ByVal VarPtr(HookBytes(0)), 6
Flag = True
Hook = True
End If
End If
End Function
Private Function MyDialogBoxParam(ByVal hInstance As LPtr, _
ByVal pTemplateName As LPtr, ByVal hWndParent As LPtr, _
ByVal lpDialogFunc As LPtr, ByVal dwInitParam As LPtr) As Integer
If pTemplateName = 4070 Then
MyDialogBoxParam = 1
Else
RecoverBytes
MyDialogBoxParam = DialogBoxParam(hInstance, pTemplateName, _
hWndParent, lpDialogFunc, dwInitParam)
Hook
End If
End Function
Sub UnprotectedVBACode()
'Run this subroutine to unlock the VBA project.
If Hook Then
Debug.print ("VBA Project was cracked.")
End If
End Sub